Developing Expertise in Software Security: An Outsider's Perspective

Gary McGraw & Anup K. Ghosh
Reliable Software Technologies Corporation
Ridgetop Circle, Suite 250
Sterling, VA (703)

May 16, 1996

Abstract

This document is presented as a preliminary position paper meant to help foster discussion at the Invitational Workshop on Computer Vulnerability Data Sharing. We argue for the development of a centralized database of security vulnerabilities, including exploitation information, for use by legitimate researchers in computer security.

This work was supported in part by grant number F C-0282 from the U.S. Department of Defense Advanced Research Projects Agency.

1 A legitimate need for vulnerability data

Information system security is gaining more and more prominence as computer networking becomes ubiquitous. Sites with Internet-networked computers must pay special attention to security concerns, since the Internet, by its very nature, makes attacking sites easier than ever before. The Internet is growing at an incredible rate, and the demand for expertise in security is growing with it. In fact, the need for security expertise seems to be so great that there is no alternative to co-opting "outsiders" such as ourselves into the discipline.

One question we would like to address at the Invitational Workshop on Computer Vulnerability Data Sharing is: "how can an expert researcher from outside the security community become an expert in security and vulnerability issues?" We come to the security research arena as researchers experienced in other areas of computer science (for McGraw, artificial intelligence, cognitive science, and software engineering; for Ghosh, computer engineering and software reliability). Our pursuit of knowledge about security has been to some extent hampered by the lack of a centralized repository of vulnerability data that can be used in experiments and analyses.

This position paper includes a few observations that we have made as "outsiders" learning about computer security. In general, we have been unpleasantly surprised by the lack of resources in the security research community. Although there are some general books and a couple of reasonable journals, the software security discipline sorely lacks a common repository of vulnerabilities. The CERT alerts, for example, are purposefully vague and usually amount to patch-distribution documents. Finding out exactly what a security vulnerability is and how it can actually be exploited is not a straightforward task. Subscribing to some of the many "underground" mailing lists and newsgroups is both a time-consuming and a frustrating way of coming up to speed.

This brings up the question of what a reasonable level of abstraction for vulnerability definition might be. The answer is unfortunately complicated by the fact that broadcasting exploitation scripts and spreading the word about unpatched vulnerabilities is simply not feasible. Obviously, care must be taken not to spread "cracking" expertise far and wide (throwing kudzu seeds to the wind, so to speak). But there seems to be a severe lack of any legitimate path to knowledge of computer security, especially with regard to actual exploitation scripts. As security takes on a more prominent role in computer science, this lack will need to be addressed.

From a software engineering point of view, or more specifically a software assessment point of view, the more vulnerability knowledge we software engineers have, the better the tools and assessment techniques we can develop. As a concrete example, consider that the ARPA-sponsored research project that we are currently involved in has the goal of developing a security assessment prototype tool based on fault injection [2,3]. The more that RST researchers can find out about actual vulnerabilities (not at some abstract level, but at the down-and-dirty machine level), the better our fault-injection and intrusion detection methodology will be. This brings up an interesting fact about the amount of overlap between software engineering needs and intrusion detection needs. We would argue that intrusion detection and software engineering require the same level of access to security data for use in experimentation. How these common needs overlap with incident handling needs is another story (one that we are not qualified to address).

2 Creating a shared database for research

We are concerned about the lack of a vulnerability database, something that exists as a glaring "hole" in the security research community. Our security work at RST can certainly be counted as one example of how and why such a database might be put to "appropriate" use. Another example is the vulnerability detection work of Stephanie Forrest at the University of New Mexico [1]. Forrest also came to the security community as an outsider and has injected new ideas into the intrusion detection arena.

Vulnerability data in such a database should probably be structured by several different classes of information, including: operating system, date of discovery, some assessment of possible damage (including a severity rating), whether or not a patch has been created (and if so, patch distribution information), cross-references to CERT documents, and a technical point of contact. It should be possible to search the database along any of these dimensions. It is our opinion that the database should include explicit and uncensored exploitation scripts as well as a detailed technical account of the vulnerability.
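The record structure just described, worked through as an added example (this is not code from the paper or from RST). It keeps one column per class of information the paper lists and lets a caller search along any of those dimensions. The column names, the SQLite schema, the severity scale and all sample rows are assumptions made here; the CERT reference strings are placeholders, not real advisory numbers. The one design point worth noticing is that "search along any dimension" is implemented with a whitelist of column names and bound parameters, so an arbitrary dimension name from a caller cannot become SQL.

```python
"""
Toy vulnerability database after section 2 of the paper. Added example;
every record below is constructed sample data, not a real vulnerability.
"""
from __future__ import annotations

import sqlite3
from typing import Any, List

# One column per "class of information" the paper lists. Column names and
# types are assumptions; the paper names the fields but prescribes no schema.
SCHEMA = """
CREATE TABLE vulnerability (
    id                INTEGER PRIMARY KEY,
    operating_system  TEXT    NOT NULL,
    discovered_on     TEXT    NOT NULL,   -- ISO 8601 date, sorts as text
    damage            TEXT    NOT NULL,   -- free-text damage assessment
    severity          INTEGER NOT NULL CHECK (severity BETWEEN 1 AND 5),
    patch_available   INTEGER NOT NULL CHECK (patch_available IN (0, 1)),
    patch_location    TEXT,               -- where the patch is distributed
    cert_reference    TEXT,               -- cross-reference to a CERT document
    contact           TEXT    NOT NULL,   -- technical point of contact
    technical_account TEXT    NOT NULL,   -- detailed technical description
    exploit_script    TEXT                -- uncensored, research use only
);
"""

# Only these columns may be used as search dimensions. Searching "along any
# dimension" must not mean splicing caller-supplied column names into SQL.
SEARCHABLE = frozenset({
    "operating_system", "discovered_on", "severity",
    "patch_available", "cert_reference", "contact",
})

# Constructed sample records (fictional systems, hosts, contacts and scripts).
SAMPLE_ROWS = [
    ("SunOS 4.1", "1995-11-02", "local root via setuid helper", 5, 1,
     "ftp://patches.example.invalid/1", "CA-EX-01", "alice@example.invalid",
     "buffer overflow in argv handling", "perl -e 'print \"A\" x 4096' | ./helper"),
    ("SunOS 4.1", "1996-01-15", "remote denial of service", 3, 0,
     None, None, "bob@example.invalid",
     "malformed packet wedges daemon", None),
    ("HP-UX 9", "1996-03-20", "remote root via daemon", 5, 0,
     None, "CA-EX-02", "carol@example.invalid",
     "unchecked length in request parser", "nc host 79 < payload"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO vulnerability (operating_system, discovered_on, damage,"
        " severity, patch_available, patch_location, cert_reference, contact,"
        " technical_account, exploit_script) VALUES (?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS,
    )
    return conn


def search(conn: sqlite3.Connection, **dims: Any) -> List[int]:
    """Return ids of records matching every given dimension (AND of tests).

    A trailing '__min' on a dimension turns it into a lower bound, e.g.
    severity__min=4 or discovered_on__min="1996-01-01". Column names are
    checked against SEARCHABLE before they reach the query text, and the
    values always travel as bound parameters, never as string splices.
    """
    clauses, params = [], []
    for key, value in dims.items():
        col, _, mod = key.partition("__")
        if col not in SEARCHABLE:
            raise ValueError(f"not a searchable dimension: {col!r}")
        if mod == "min":
            clauses.append(f"{col} >= ?")
        elif mod == "":
            clauses.append(f"{col} = ?")
        else:
            raise ValueError(f"unknown modifier: {mod!r}")
        params.append(value)
    sql = "SELECT id FROM vulnerability"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]


if __name__ == "__main__":
    db = open_db()
    print(search(db, operating_system="SunOS 4.1"))        # [1, 2]
    print(search(db, severity__min=5, patch_available=0))  # [3]
```

A real repository would add a full-text index over the technical account and an access tier on the exploit_script column (see section 2.1), but the dimension whitelist is the part that should survive any such extension.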
This information should be compiled in a central repository by an organization dedicated to improving security through information dissemination (such as CERT). Other possibilities include academic research groups, or possibly an agency of the U.S. Government (e.g., the NSA or NIST). In our opinion it would be a bad idea to have the database administered by a private corporation or individual, as the potential for abuse through exclusive distribution may be too tempting. (Of course, the same possibility of "information hoarding" exists for academic groups as well, though the prospects are not as great.)

The benefits of centralized information versus information distributed across individuals and organizations include: (1) the ease with which researchers can obtain security vulnerability data from a single source, (2) a consistent validation scheme with regard to the accuracy of vulnerability descriptions, (3) a central locus for the dissemination of necessary patch information to the Internet at large, and (4) centralized control over dissemination of methods of vulnerability exploitation. We would imagine that CERT has to some extent dealt with most of these issues. It would be interesting to get their input.

2.1 Exploitation scripts

We feel strongly that detailed descriptions of vulnerabilities, including exploitation scripts and technical descriptions, should be made available to legitimate researchers in security. Of course, this point raises the question of how to define just what a "legitimate" security researcher is. That point aside, without the means of re-creating actual vulnerabilities in a research setting, the development of tools to prevent future exploitation of software vulnerabilities will clearly be thwarted. We believe that the benefits of making this information available to researchers and developers of commercial and/or public-domain security tools far outweigh the potential hazards of keeping too tight a "lid" on vulnerability data. In any case, some sort of cost/benefit analysis is warranted, since the decision to release vulnerability information has both positive aspects (in terms of advancing research agendas) and negative aspects (in terms of arming the enemy).

Perhaps the most important question arising out of this discussion is how to establish a "trusted user base" of security researchers and developers to whom the vulnerability database can safely be made available. Researcher legitimacy can probably be propagated on the basis of trust (as is the case with some kinds of public key validation [4]). That is, if some trusted researcher (or two) vouches for a potential new security researcher or research group, then the new researcher should be trusted. This sort of validation scheme would also help to foster a better sense of community between security researchers. A potential drawback to this approach is that it might result in too much of a "good old boy" network arising. It might not be a bad idea to implement some sort of minimal background check as part of the approval process as well. Once again, though, it seems clear to us that erring on the side of releasing too much information is far better than trying to keep everything secret and stifling progress.

2.2 Unpatched software

As a related point, unpatched (and thus vulnerable) versions of software should also be made available (though restricted to the security research/development community) so that effective tools can be created based on known intrusions. These buggy programs would be used exclusively in a laboratory setting.

3 Conclusion

From our point of view as software engineers and researchers who are fairly new to security research, it seems obvious that the security community needs to address these issues head on. Though the issues are complex, it is clear that the lack of a central repository for detailed and specific vulnerability information is a hindrance to future progress in the field.

REFERENCES

1. Forrest, Stephanie, Stephen Hofmeyr, Anil Somayaji, & Thomas Longstaff. (1996) A Sense of Self for Unix Processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, May.
2. Voas, Jeff, Gary McGraw, Anup Ghosh, Frank Charron & Keith Miller. (1996) Defining an adaptive software security metric from a dynamic software failure tolerance measure. To appear in the Proceedings of the Ninth Annual Conference on Computer Assurance, June.
3. Voas, Jeff, Gary McGraw, and Anup Ghosh. Defining an Adaptive Software Security Metric from a Dynamic Software Failure Tolerance Measure. Reliable Software Technologies Technical Report. March 28, Sterling, VA.
4. Zimmerman, P. PGP User's Guide, Volume I: Essential Topics. October.

Disclaimer: The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government.
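Returning to section 2.1: the vouching scheme sketched there (a new researcher is admitted once trusted researchers vouch for them, in the manner of PGP-style key validation) worked through as an added example. This is not code from the paper, and the concrete rules are assumptions made here to address the "good old boy" concern the paper raises: a fixed founding set is trusted outright, a candidate needs a quorum of distinct already-trusted vouchers, trust is only propagated a bounded number of hops from the founders, and a researcher's own vouch for themselves never counts. All names and vouching relationships are constructed.

```python
"""
Vouching-based admission to a research vulnerability database, after the
trust-propagation idea in section 2.1 of the paper. Added example; the
quorum, depth limit and self-vouching rule are assumptions, and the
vouching graph below is constructed.
"""
from __future__ import annotations

from typing import Dict, Set

# Constructed sample data: voucher -> set of candidates they vouch for.
VOUCHES: Dict[str, Set[str]] = {
    "alice":   {"dave", "erin"},
    "bob":     {"dave", "frank"},
    "carol":   {"erin"},
    "dave":    {"frank", "grace"},
    "erin":    {"grace", "heidi"},
    "frank":   {"heidi", "ivan"},
    "grace":   {"ivan"},
    "heidi":   {"judy"},
    "ivan":    {"judy"},
    "mallory": {"mallory", "judy"},   # self-vouch is ignored; never admitted
}

# The founding researchers, trusted outright (assumption).
FOUNDERS: Set[str] = {"alice", "bob", "carol"}


def propagate_trust(vouches: Dict[str, Set[str]], founders: Set[str],
                    quorum: int = 2, max_depth: int = 3) -> Dict[str, int]:
    """Return {researcher: depth} for everyone admitted.

    Founders sit at depth 0. Each round admits every candidate who has at
    least `quorum` distinct trusted vouchers; the candidate's depth is one
    more than the depth of the quorum-th shallowest voucher (the shortest
    chain back to the founders that still meets the quorum). Candidates
    whose depth would exceed `max_depth` stay out, which bounds how far a
    chain of friends-of-friends can carry trust. Iterates to a fixed point.
    """
    trusted: Dict[str, int] = {name: 0 for name in founders}
    changed = True
    while changed:
        changed = False
        # Snapshot of who currently backs each not-yet-trusted candidate.
        backers: Dict[str, Set[str]] = {}
        for voucher, candidates in vouches.items():
            if voucher not in trusted:
                continue
            for cand in candidates:
                if cand == voucher or cand in trusted:
                    continue            # self-vouch, or already admitted
                backers.setdefault(cand, set()).add(voucher)
        # Admit in sorted order so results are reproducible. Candidates
        # admitted in this round only start vouching in the next round,
        # because `backers` was computed from the round's opening snapshot.
        for cand in sorted(backers):
            depths = sorted(trusted[v] for v in backers[cand])
            if len(depths) < quorum:
                continue
            depth = 1 + depths[quorum - 1]
            if depth > max_depth:
                continue
            trusted[cand] = depth
            changed = True
    return trusted


def may_read_exploits(name: str, admitted: Dict[str, int]) -> bool:
    """Access rule for the uncensored exploit material: admitted or not."""
    return name in admitted


if __name__ == "__main__":
    admitted = propagate_trust(VOUCHES, FOUNDERS)
    for name, depth in sorted(admitted.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{name:8s} depth {depth}")
    print("judy admitted:", may_read_exploits("judy", admitted))      # False
    print("mallory admitted:", may_read_exploits("mallory", admitted))  # False
```

With the sample graph and the defaults (quorum 2, depth 3), dave and erin enter at depth 1, frank and grace at 2, heidi and ivan at 3, and judy is refused only because her chain would be four hops long; raising max_depth to 4 admits her. Lowering the quorum to 1 is the "single trusted sponsor" variant the paper mentions and admits judy at depth 3. Mallory is never admitted under any setting because the only vouch for mallory is mallory's own. The minimal background check the paper suggests would sit outside this function, as a gate applied before a candidate's name is allowed into the vouching graph at all.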
More informationA Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks
A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks S. Balachandran, D. Dasgupta, L. Wang Intelligent Security Systems Research Lab Department of Computer Science The University of
More informationHow to Stay Compliant with SMS Marketing
How to Stay Compliant with SMS Marketing Ensure your text campaigns deliver value to customers and keep your business secure GREAT TIPS INSIDE Even legitimate marketers can fall foul of mobile spamming,
More informationIt s Not If But When: How to Build Your Cyber Incident Response Plan
CYBER SECURITY USA It s Not If But When: How to Build Your Cyber Incident Response Plan Lucie Hayward, Managing Consultant Michael Quinn, Associate Managing Director each day seems to bring news of yet
More informationRisk-based Object Oriented Testing
Risk-based Object Oriented Testing Linda H. Rosenberg, Ph.D. Ruth Stapko Albert Gallo NASA GSFC SATC NASA, Unisys SATC NASA, Unisys Code 302 Code 300.1 Code 300.1 Greenbelt, MD 20771 Greenbelt, MD 20771
More informationBrian Drabble, Je Dalton and Austin Tate
Technical Report O-Plan Tasking Specication Brian Drabble, Je Dalton and Austin Tate Approved for public release; distribution is unlimited Articial Intelligence Applications Institute University of Edinburgh
More informationCalne Without Parish Council. IT Strategy
Calne Without Parish Council IT Strategy Version: 1.0 Status: Release Date: 5 th Feb 2018 Document History Change Control Date Version Author Description 25 Jan 2018 1.0a Jim Cook First draft. 5 th Feb
More informationEasy List Building System
Easy List Building System By Muhammad Ali Contents Introduction... 3 Step 1: Find a Quality PLR Product... 4 Step 2: Create Your Squeeze Page... 6 Seven Rules to Follow... 6 Step 3: Set Up Your Download
More informationState of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges
State of the (Information Security) Union (or: How not to use Krebs as an IDS ) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges My background IT Systems / Network Administrator for City
More informationCYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME
FACULTY OF LAW DEPARTEMENT: CIVIL LAW MASTER STUDY THEME: CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME Mentor: Prof. Ass. Dr. Xhemajl Ademaj Candidate: Abdurrahim Gashi Pristinë, 2015 Key words List
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report IEEE IEEE 2600.1-2009 Report Number: CCEVS-VR-10340 Dated: 2009-06-09 Version: 2.0 National
More informationRequest for Comments: 4633 Category: Experimental August 2006
Network Working Group S. Hartman Request for Comments: 4633 MIT Category: Experimental August 2006 Status of This Memo Experiment in Long-Term Suspensions From Internet Engineering Task Force (IETF) Mailing
More informationMICRO DIGITAL: TECHNICAL CRITERIA FOR MAKING THE RTOS CHOICE
MICRO DIGITAL: TECHNICAL CRITERIA FOR MAKING THE RTOS CHOICE 15 December 2008: Technical Criteria for Making the RTOS Choice INTERVIEWEE. RALPH MOORE PRESIDENT TEL. 714 427 7333 EMAIL. RALPHM@SMXRTOS.COM
More informationSix Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP
Six Weeks to Security Operations The AMP Story Mike Byrne Cyber Security AMP 1 Agenda Introductions The AMP Security Operations Story Lessons Learned 2 Speaker Introduction NAME: Mike Byrne TITLE: Consultant
More informationHuman Inputs. Software. Outputs to Physical System
Analyzing Software Sensitivity to Human Error Jerey Voas Reliable Software Technologies Corporation jmvoas@rstcorp.com Abstract Human operator errors in human-supervised computer systems is becoming a
More informationVulnerability Disclosure
Vulnerability Disclosure Rita Wells National SCADA Test Bed DoE-OE September 09, 2008 Department of Energy-Office of Electricity Delivery and Energy Reliability: National SCADA Test Bed Program Mission
More informationNetwork Working Group Request for Comments: Cisco Systems, Inc. December 2005
Network Working Group Request for Comments: 4243 Category: Standards Track M. Stapp R. Johnson T. Palaniappan December 2005 Vendor-Specific Information Suboption for the Dynamic Host Configuration Protocol
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationEGM, 9-10 December A World that Counts: Mobilising the Data Revolution for Sustainable Development. 9 December 2014 BACKGROUND
A World that Counts: Mobilising the Data Revolution for Sustainable Development 9 December 2014 BACKGROUND 1 Creation of the group Establishment of an Independent Expert Advisory Group on the Data Revolution
More informationOccasionally, a network or a gateway will go down, and the sequence. of hops which the packet takes from source to destination must change.
RFC: 816 FAULT ISOLATION AND RECOVERY David D. Clark MIT Laboratory for Computer Science Computer Systems and Communications Group July, 1982 1. Introduction Occasionally, a network or a gateway will go
More information